As per specifications, I have registered my app with Google and have got Client ID and Client secret.Also i have mentioned callback URL.

Getting access token requires me to do

Redirect user to a certain URL with required query strings and headers as mentioned in OAuth document on Google site (https://accounts.google.com/o/oauth2/auth bla bla stuff)

After user enter their credentials, they are sent back to callback URL as mentioned in my APP which i have already registered with google. here querystring parameter &code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp6 bla bla is also appended to call back URL. Thus now have got authorization code

Once i have got this "access token" , i can access (say contact API and get user contacts)

Everything is fine upto this point. I also understand that access tokens have limited lifetime and we can get new access token using "refresh token".

A.As a developer, is it my responsibility to store and check if the "access token" is valid?

B. If my website is a public website with "Login with Google/FB/twitter" account, how do i know that its the same user who has returned back to site after 2 days and i dont need him to ask for login, instead user should be auto-logged in to site ? cauz i dont want him to go through the authorization process as they have already given permission to my app.

E.G : I have logged into TechCrunch website using my FB login and can comment on articles. Now even after 1 week if i visit to TechCrunch , i dont have to login again. how do they know that its me and i am already authenticated ?

1 Answer
1

When using OAuth 2.0, you get an access token which has an expire time sent along with it. Either you can keep track of when it expires or you can just keep using it until you get an INVALID_TOKEN error. Then you would need to call the refresh token service to get a new access token. Your refresh token is good until revoked.

This is OpenID, not OAuth. The flow is similar, but is for logging a user into your service. OAuth is for you retrieving the user's data from another account.

For B, so i need to implement OpenID thing on website so that users can login using FB/twitter/Google etc etc account and then OAuth separately so that i can pull their data. Correct me if my understanding is wrong.
–
NoobDeveloperSep 10 '11 at 16:11